Categories: SecurityWorkspace

Dark Market Zero-Days ‘Selling Regularly For $50k-$100k’

Previously unknown, unpatched vulnerabilities, known as zero-day flaws, are often selling for between $50,000 and $100,000 (£30,ooo-£60,000) on underground hacking forums, according to Symantec researchers.

Despite bug bounty programmes from major software vendors like Microsoft and Google that offer researchers thousands of pounds for their vulnerabilities, underground criminals are still able to offer more, said Candid Wueest, from Symantec’s Security Response team.

Big zero-day money

He said prices for zero-days were rising because they were increasingly difficult to find.

“For code execution through a browser… it often takes a few vulnerabilities together to execute code,” he told TechWeekEurope. “This makes it more difficult to find one and then the prices rise.”

Wueest said it was “a small market but definitely regular” and even if the likes of Microsoft can offer money via bug bounty programmes, there will be someone offering more on the dark web forums.

In 2012, TechWeek heard that a vulnerability affecting Oracle Java was selling for $100,000, but such high sales were a rarity.

Microsoft recently raised the maximum amount it would pay for reported vulnerabilities and also said it would give money out to those who simply alerted the company to zero-days, without having to show how an exploit would work.

Even Tesla, the car manufacturer, has adopted a vulnerability reward programme, indicating there will be more legitimate money on offer for researchers in the coming years.

Yet attackers are still keen to get their hands on such flaws. Symantec told TechWeek it had seen the attackers thought to have been involved in breaching Google in 2009 in action in the last couple of weeks.

The Elderwood hacker group was seen targeting various industries, including government defence contractors, with a number of zero-days, and has continued to operate despite much attention from the security community.

Are you a security pro? Try our quiz!

Thomas Brewster

Tom Brewster is TechWeek Europe's Security Correspondent. He has also been named BT Information Security Journalist of the Year in 2012 and 2013.

Recent Posts

US Widening AI Lead Over China, Finds Stanford Report

US widening lead over China on AI development, as UK places third in Stanford index…

5 mins ago

Amazon To Pump Another $4bn Into AI Start-Up Anthropic

Amazon to invest a further $4bn into AI start-up Anthropic, doubling its investment as it…

35 mins ago

The Cost of Tech Skills

The demand for tech skills is surging, driving economic growth but revealing challenges. Financial costs,…

1 hour ago

Supreme Court Says Meta Must Face Multibillion-Dollar Fraud Lawsuit

US Supreme Court tosses Meta's appeal over Cambridge Analytica-linked investor lawsuit, meaning case must proceed

1 hour ago

Uber Seeks $10m Stake In Pony AI Via IPO

Uber reportedly seeks $10m stake in Chinese autonomous driving firm Pony AI via US IPO,…

2 hours ago

Apple Developing ‘LLM Siri’ AI For 2026

iPhone maker reportedly developing next-generation AI large language model for Siri for spring 2026 as…

2 hours ago